Optimization of the multivariate polynomial public key for quantum safe digital signature

Kuang, Perepechaenko, and Barbeau recently proposed a novel quantum-safe digital signature algorithm called Multivariate Polynomial Public Key or MPPK/DS. The key construction originated with two univariate polynomials and one base multivariate polynomial defined over a ring. The variable in the univariate polynomials represents a plain message. All but one variable in the multivariate polynomial refer to noise used to obscure private information. These polynomials are then used to produce two multivariate product polynomials, while excluding the constant term and the highest order term with respect to the message variable. The excluded terms are used to create two noise functions. The four produced polynomials, masked with two randomly chosen even numbers over the ring, then form the Public Key. The two univariate polynomials and the two randomly chosen numbers, behaving as an encryption key to obscure the public polynomials, form the Private Key. The verification equation is derived from multiplying all of the original polynomials together. MPPK/DS uses a special safe prime to prevent private key recovery attacks over the ring, forcing adversaries to solve for private values over a sub-prime field and lift the solutions to the original ring. Lifting entire solutions from the sub-prime field to the ring is designed to be difficult based on security requirements. This paper intends to optimize MPPK/DS to reduce the signature size by a fifth. We added two extra private elements to further increase the complexity of the private key recovery attack. However, we show in our newly identified optimal attack that these extra private elements do not have any effect on the complexity of the private key recovery attack, due to an intrinsic feature of MPPK/DS. The optimal key-recovery attack reduces to a Modular Diophantine Equation Problem or MDEP with more than one unknown variable for a single equation.
MDEP is a well-known NP-complete problem, producing a set with many equally likely solutions, so the attacker would have to choose the correct solution from the entire list. By purposely choosing the field size and the order of the univariate polynomials, we can achieve the desired security level. We also identified a new deterministic attack on the coefficients of the two univariate private polynomials using intercepted signatures, which forms an overdetermined set of homogeneous cubic equations. To the best of our knowledge, the solution to such a problem is to brute-force search all unknown variables and verify the obtained solutions. With those optimizations, MPPK/DS can offer extra security of 384 bits of entropy at a 128-bit field, with a public key size of 256 bytes and a signature size of 128 or 256 bytes using SHA256 or SHA512 as the hash function, respectively.


Related work. The National Institute of Standards and Technology (NIST) started the standardization process of Post-Quantum Cryptography (PQC) in 2017 8 with 69 candidates. The first round ended in 2019 with 26 candidates entering the second round 9 . Only four candidates for KEM: code-based Classic McEliece 10 and lattice-based CRYSTALS-KYBER 11 , NTRU 12 , and SABER, as well as three candidates for digital signatures: lattice-based CRYSTALS-DILITHIUM 13 and FALCON 14 , and multivariate Rainbow 15 , entered the third round in 2021 16 . Kyber became the only KEM candidate for standardization, as announced by NIST in 17 , and CRYSTALS-Dilithium, FALCON, and SPHINCS+ 18 are the three digital signature candidates for standardization. Following this announcement, NIST issued a new call for digital signatures and emphasized that the primary interest is in general-purpose signature schemes that are not based on structured lattices. Some vulnerabilities of NIST round 3 finalists were reported in early 2022. Damien Robert in 2022 first reported an attack on the Supersingular Isogeny Diffie-Hellman or SIDH 19 in polynomial time 20 , and later Castryck and Decru reported their more efficient key recovery attack on SIDH 21 , achieving key recovery for NIST security level V in less than 2 h with a laptop. A new cryptanalysis was recently proposed by Wenger et al. in 2022 22 , using Machine Learning or ML for secret recovery of lattice-based schemes. Their proposed attack can fully recover secrets for small-to-midsize LWE instances with sparse binary secrets, up to lattice dimensions of d = 128, and may scale to attack real-world LWE-based cryptosystems. Attacking lattice-based schemes with ML transformers seems to be a promising area; thus, the team is working on further advancing the capability of their attack to target larger parameter sets. However, the amount of time and resources needed to achieve this goal is still unclear.
Nevertheless, this attack opened the door to an entirely new era of cryptanalysis using ML, especially when combining ML with quantum computing. Among the digital signature schemes, Rainbow, based on a multivariate public key cryptosystem, had a reported attack. Ward Beullens in early 2022 reported an attack on Rainbow that uses a standard laptop and requires an average of 53 h 23 . These recent attacks on well-explored PQC algorithms indicate that further exploration of novel PQC algorithms for both KEM and digital signature is highly necessary.
On the other hand, Gottesman and Chuang in 2001 proposed a scheme of quantum digital signature or QDS by importing the ideas of classical public key cryptography into the quantum world, based on their proposed quantum one-way function 24, 32 . Although QDS offers an information-theoretically secure digital signature, Gottesman and Chuang 24 have pointed out its disadvantages, such as the impossibility of signing a general unknown quantum state, the limited number of copies of the public key that can be shared with recipients, and especially its limited applicability over today's internet. In addition to the mentioned limitations, the signature performance of QDS may be another limitation. Reported signature rates vary, such as the recorded breakthrough rate of 0.98 s/bit at 103 km from Ding et al. in 2020 33 and 14.9 s/bit for efficient QDS without the symmetrization step from Lu et al. 32 . In general, QDS signature performance is about six orders of magnitude lower than PQC digital signature performance.
In contrast to QDS for quantum secure digital signatures, with the limitations discussed above, PQC digital signature schemes would be much more applicable to Quantum Key Distribution or QKD. It is well known that QKD requires a classical channel for the post-processing, requiring trusted authentication to avoid the Man-in-The-Middle or MITM attack. With a PQC digital signature, QKD could eliminate the pre-shared secret, which is always the weak point of QKD. QDS may be applicable to short-distance QKD, but for long-distance QKD such as Twin-Field QKD over 830 km by Wang et al. in 2022 34 , and the QKD networks by Fan-Yuan et al. in 2021 35 and in 2022 36 , a quantum safe digital signature would make entire communication networks quantum safe without the pre-shared secret.

MPPK/DS optimization
In MPPK/DS 1 , the security parameters are the generalized safe prime p = 2 x q + 1 , with x ∈ Z + and an odd prime q, a positive integer n, representing the order of message variable x 0 in the base multivariate polynomial B(x 0 , x 1 , . . . , x m ) , and a positive integer representing the order of univariate polynomials f (x 0 ) and h(x 0 ) . Variable x 0 is associated with the secret, while variables x 1 , . . . , x m represent noise. The noise variables in the base multivariate polynomial B(x 0 , x 1 , . . . , x m ) enable the signature verifier to have the freedom to generate various values of the public key polynomials P(·), Q (·) as well as noise functions N 0 (·) and N m (·) for the same secret x 0 but different noise values. We generally maintain these definitions of security parameters in this paper.
In this section, we will first briefly describe MPPK DS, followed by the key construction with the above optimization considerations, next derive the signature verification equation, then establish the signing algorithm, and finally discuss the verification algorithm. For the remainder of this work, we replace ϕ(p) with p − 1 and
The motivation of MPPK. The fundamental idea of the multivariate polynomial public key or MPPK is rooted in a simple algebraic equation with two univariate polynomials f(x 0 ), h(x 0 ) and a common multivariate polynomial B(x 0 , x 1 , . . . , x m ) . Equation (1) has the following interesting characteristics:
• the division is invariant under the choice of B(x 0 , x 1 , . . . , x m ) , regardless of its specific expression and the number of variables x 1 , . . . , x m . It is always dictated by f(x 0 ) and h(x 0 ).
• it implies that we can establish a new public key algorithm with the private key being f(x 0 ) and h(x 0 ) and the public key being P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ).
• it is natural to consider the variable x 0 as the message variable for the secret exchange and the variables x 1 , . . . , x m as noise variables.
On the other hand, Eq. (1) can be rewritten in cross-multiplication form as which can be used to develop a signature verification equation by leveraging the following fact: if a = b mod ϕ(p) , then for any g ≠ 0, 1 ∈ F p , g^a = g^b mod p . That is the central idea of MPPK DS. Certain techniques must be applied to protect the private key from public key and signature attacks. Some key features of MPPK DS are
• small sizes of private key, public key and signature, generally smaller than RSA-2048.
• better performance for key generation, signing, and verifying, compared with the NIST DS candidates.
• generic for any devices from ARM to X86.
• randomized signing with a base g per signing and randomized verifying with noise variables.
Key construction. Unless stated otherwise, all the arithmetic during the key generation procedure is performed modulo p − 1 . Using the same definitions as in MPPK/DS 6 , we randomly choose three polynomials over the ring Z/(p − 1)Z : a base multivariate polynomial of order n with B_j(x 0 ) = Σ_{i=0}^{n} c_ij x 0^i , and two univariate polynomials of order . We have simplified the monomials of MPPK/DS 6 , and consider only monomials of the form x 0^i x j as in Eq. (3). The base polynomial can be considered as a linear multivariate polynomial with coefficients being the univariate polynomials B_j(x 0 ) for all j = 1, . . . , m.
www.nature.com/scientificreports/
Two product polynomials φ(·) and ψ(·) are then constructed as and with φ_kj = Σ_{s+t=k} f_s c_tj and ψ_kj = Σ_{s+t=k} h_s c_tj . Equation (5) can be rewritten as with and Eq. (6) can be rewritten as with We refer to the multivariate product polynomials φ(x 0 , x 1 , . . . , x m ) and ψ(x 0 , x 1 , . . . , x m ) as plain product polynomials. They cannot be used directly as the public key, as there exists a polynomial time factorization algorithm for univariate polynomials 3 . In order to protect the plain product polynomials, we consider their components separately. First, we mask the components B 0 (·) and B n (·) with randomly chosen even numbers R 0 , R n ∈ Z/(p − 1)Z respectively, producing two functions and The functions N 0 (x 1 , . . . , x m ) and N n (x 0 , x 1 , . . . , x m ) are called noise functions in MPPK/DS 6 . Then we randomly choose two numbers α and β from Z p−1 such that GCD(α, p − 1) = 1 and GCD(β, p − 1) = 1 , to obscure φ(·) and ψ(·) as with q_j(x 0 ) = Σ_{k=1}^{n+ −1} (βR n ψ_kj mod (p−1)) x 0^k . We refer to the polynomials P(·), Q(·) as well as the noise functions N 0 (·), N n (·) as modular multiplicatively encrypted polynomials. These polynomials form the public key:
Q(x 0 , x 1 , . . . , x m ) = (βR n ψ(x 0 , x 1 , . . . , x m )) mod (p−1) = Σ_{j=1}^{m} Σ_{k=1}^{n+ −1} (βR n ψ_kj mod (p−1)) x 0^k x j
• N n (x 0 , x 1 , . . . , x m ) , which we denote N n [m]
• P(x 0 , x 1 , . . . , x m ) , which we denote P [(n + − 1) × m]
An attentive reader will notice that Eqs. (13) and (14) are essentially the same as in MPPK/DS 6 , except for the multiplication by the values α, β , and that every term is associated with a noise variable. The private key of the optimized MPPK/DS consists of
Derivation of the verification equation. We start from the following equation modulo p − 1 Multiplying Eq. (15) by R 0 R n on both sides and using Eqs. (5) to (14), we can derive the following expression where We now randomly choose a base g ≠ 0, 1 ∈ F p , and take the base g to the power of the expression in Eq. (16) as follows Then we define the signature to be comprised of the following elements Using Eq. (19), we derive the signature verification equation from Eq. (18) as follows Although we can use the original private polynomials f(x 0 ) and h(x 0 ) , together with the private secret values R 0 , R n , α, β , as the private key, it is far better to use the derived univariate polynomials in Eq. (17) as the private key, to avoid potential side-channel attacks on polynomial evaluations 38 . Now we form the key pair for the optimized MPPK/DS: The total public key size is then calculated as 2m(n + ) elements of Z/(p − 1)Z and the private key size as 4 + 2 elements of Z/(p − 1)Z . The signature size is 4 × L , where L is the length of the signing message. It is clear that the optimized MPPK/DS reduces the signature size from 5 to 4 elements of F p .
Signing with optimized MPPK/DS. Signing with optimized MPPK/DS is a straightforward three-step process:
1. Generate the hash code of the given message/document m: x 0 = HASH(m) , and if the hash returns with a length |x 0 | 2 larger than the field length log 2 p , then segment it into segments x 0 [i] over Z/(p − 1)Z . Perform steps 2 and 3 for each segment x 0 [i] and concatenate the results to form the signature tuple.
3. Randomly choose a base g from F p and evaluate A = g^ā mod p, B = g^b̄ mod p, C = g^c̄ mod p, D = g^d̄ mod p .
Note that g is chosen differently for every message m. The tuple S = {A, B, C, D} forms the signature for the message/document m. With the randomly chosen base g ≠ 0, 1 , MPPK/DS naturally enables randomized signatures: even for the same message m, repeated signing would produce a totally different signature.
Verifying with optimized MPPK/DS. Verifying a signature S = {A, B, C, D} signed by a true signer is also straightforward, using the verification equation Eq. (18). It, too, is a three-step process:
1. Generate the hash code of the given message/document m: x 0 = HASH(m) , and if the hash returns with a length |x 0 | 2 larger than the field length log 2 p , then segment it into segments x 0 [i] over Z/(p − 1)Z and also segment each signature element into segments S[i]. Perform steps 2 and 3 for each segment
3. Verify whether A^Q = B^P C^{N 0} D^{N n} mod p holds. If it does, the verification is successful. The verification can be repeated as many times as the verifier wants with different choices of the noise variables.
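The key construction, signing and randomized verification described above, as an added example that is not the paper's toy example or code: a small Python model with constructed toy parameters (p = 89 = 2^3·11 + 1, polynomials of degree 2 in x 0 , m = 2 noise variables) that builds P, Q, N 0 , N n as defined in the text, signs each hash segment with a fresh base g, and checks A^Q = B^P C^{N 0} D^{N n} mod p. Since Eqs. (15) to (19) are not reproduced on this page, the exponent forms ā = R′ 0 f′(x 0 ), b̄ = R′ n h′(x 0 ), c̄ and d̄ used here are derived from the identity f·B·h = h·B·f with f′ = αf, h′ = βh, R′ 0 = R 0 αβ, R′ n = R n αβ, and are an assumption of this example.

```python
import random
from hashlib import sha256
from math import gcd

X, Q_SUB = 3, 11                  # constructed toy prime p = 2^x q + 1 = 89
P = (1 << X) * Q_SUB + 1
R = P - 1                         # exponents live in the ring Z/(p-1)Z
LAM, N, M = 2, 2, 2               # degree of f, h; degree of B in x0; noise vars
SEG_BITS = P.bit_length() - 1     # hash segment length floor(log2 p) in bits

def poly_eval(coeffs, x, mod):
    """Horner evaluation of sum_i coeffs[i] * x^i modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc

def unit(rng):
    """Random alpha or beta with gcd(., p-1) = 1, i.e. invertible mod p-1."""
    while True:
        a = rng.randrange(1, R)
        if gcd(a, R) == 1:
            return a

def keygen(seed):
    """Return public key (P, Q, N0, Nn) and private key (f', h', R0', Rn')."""
    rng = random.Random(seed)
    f = [rng.randrange(R) for _ in range(LAM + 1)]
    h = [rng.randrange(R) for _ in range(LAM + 1)]
    # base polynomial B = sum_j B_j(x0) x_j with B_j(x0) = sum_i c[j][i] x0^i
    c = [[rng.randrange(R) for _ in range(N + 1)] for _ in range(M)]
    R0 = 2 * rng.randrange(1, R // 2)          # even masks, as in the text
    Rn = 2 * rng.randrange(1, R // 2)
    alpha, beta = unit(rng), unit(rng)

    def product(u):  # coefficients of u(x0)*B: sum_{s+t=k} u_s c_tj, as [j][k]
        out = [[0] * (N + LAM + 1) for _ in range(M)]
        for j in range(M):
            for s, us in enumerate(u):
                for t, ct in enumerate(c[j]):
                    out[j][s + t] = (out[j][s + t] + us * ct) % R
        return out

    phi, psi = product(f), product(h)
    mid = range(1, N + LAM)       # drop the x0^0 and x0^(n+lambda) terms
    pub = {"P": [[alpha * R0 * phi[j][k] % R for k in mid] for j in range(M)],
           "Q": [[beta * Rn * psi[j][k] % R for k in mid] for j in range(M)],
           "N0": [R0 * c[j][0] % R for j in range(M)],    # R0 * B_0(x_1..x_m)
           "Nn": [Rn * c[j][N] % R for j in range(M)]}    # Rn * B_n, carries x0^n
    ab = alpha * beta % R
    priv = {"f": [alpha * v % R for v in f], "h": [beta * v % R for v in h],
            "R0": R0 * ab % R, "Rn": Rn * ab % R}   # f'=alpha f, h'=beta h, R0', Rn'
    return pub, priv

def segments(msg):
    """Step 1: hash, then split into floor(log2 p)-bit segments x0[i]."""
    hv = int.from_bytes(sha256(msg).digest(), "big")
    mask = (1 << SEG_BITS) - 1
    return [(hv >> (SEG_BITS * i)) & mask for i in range(-(-256 // SEG_BITS))]

def sign_segment(priv, x0, rng):
    """Steps 2-3: exponents a,b,c,d (assumed form, derived from f*B*h = h*B*f)."""
    fp, hp = priv["f"], priv["h"]
    fx, hx = poly_eval(fp, x0, R), poly_eval(hp, x0, R)
    a = priv["R0"] * fx % R
    b = priv["Rn"] * hx % R
    cc = priv["Rn"] * (fp[0] * hx - hp[0] * fx) % R
    d = priv["R0"] * pow(x0, LAM, R) * (fp[LAM] * hx - hp[LAM] * fx) % R
    g = rng.randrange(2, P)       # fresh base g != 0, 1 for every signature
    return tuple(pow(g, e, P) for e in (a, b, cc, d))

def verify_segment(pub, x0, sig, noise):
    """Check A^Q = B^P * C^N0 * D^Nn (mod p) at verifier-chosen noise x_1..x_m."""
    A, B, C, D = sig

    def ev(coeffs):  # sum_j sum_k coeffs[j][k] x0^(k+1) x_j; index k=0 is x0^1
        return sum(cf * pow(x0, k + 1, R) * xj
                   for j, xj in enumerate(noise)
                   for k, cf in enumerate(coeffs[j])) % R

    Pv, Qv = ev(pub["P"]), ev(pub["Q"])
    N0v = sum(cf * xj for cf, xj in zip(pub["N0"], noise)) % R
    Nnv = pow(x0, N, R) * sum(cf * xj for cf, xj in zip(pub["Nn"], noise)) % R
    rhs = pow(B, Pv, P) * pow(C, N0v, P) * pow(D, Nnv, P) % P
    return pow(A, Qv, P) == rhs

def sign(priv, msg, seed):
    rng = random.Random(seed)
    return [sign_segment(priv, x0, rng) for x0 in segments(msg)]

def verify(pub, msg, sigs, seed):
    """Randomized verification: fresh noise per call, every segment must pass."""
    segs = segments(msg)
    if len(sigs) != len(segs):
        return False
    rng = random.Random(seed)
    noise = [rng.randrange(1, R) for _ in range(M)]
    return all(verify_segment(pub, x0, s, noise) for x0, s in zip(segs, sigs))
```

Calling verify twice with different seeds exercises the randomized verification with different noise values; a signature checked against a different message fails.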
Toy example. In this subsection, we use a toy example to demonstrate how the optimized MPPK/DS works.

Security analysis
To be considered quantum-safe, an algorithm or protocol must meet the following criteria:
• Resistance to known quantum attacks: The algorithm or protocol should be resistant to known quantum attacks. Fault-tolerant scalable quantum computers are capable of efficiently solving the integer factoring problem and the discrete logarithm problem, which form the security basis of most of the commonly used digital signature schemes today.
• Security: The algorithm or protocol should provide the same level of security as existing digital signature schemes or higher. This means that it should be resistant to all known classical attacks, and that the corresponding quantum security level still meets the desired entropy requirements.
In this section, we present attacks on the optimized MPPK/DS scheme that we have discovered up to this date, and provide estimates of the complexity of these attacks. Any attack on MPPK/DS entails selective forgery of the signatures. In other words, the goal of the adversary is to generate a malicious signature that will pass the verification process. We discuss private key attacks, signature attacks, as well as direct spoofing attacks. These attacks and their corresponding complexities are summarized in "Security conclusion".
Private key recovery from public key. The adversary looking to use private key elements to generate a malicious signature that passes verification requires the knowledge of the following elements Indeed, it suffices to find these elements since the signature component A can be expressed as where g can be chosen by the adversary and x 0 is known. The same is true for the signature element B. Signature elements C and D can be expressed as n separately as they comprise 2( + 1) + 2 elements. Alternatively, it is possible to combine the values αβ and look for In the framework of MPPK/DS 6 , the public key components are even integers defined over the ring of integers Z/(p − 1)Z = Z/2^x qZ , so the inverse elements of the public key components do not exist in the ring Z/2^x qZ . Hence, an adversary trying to perpetrate an attack on the public key needs to work in a different set such as F q . The optimized version of MPPK/DS leverages the same mathematical property. Thus, the malicious party cannot directly attack the public key in the framework of the optimized MPPK/DS. As an approach, the adversary can consider the public key elements modulo q, since the ring Z/2^x qZ ≅ Z/2^x Z × Z/qZ, and then lift the results to the ring Z/2^x qZ. Note that a single value modulo q is an entire equivalence class when considered modulo 2^x q . Thus, the adversary needs to either verify that the lifted value is correct, or the attack must be non-deterministic.
Thus, the adversary looking for the value R′ n = R n αβ can first find the value R′ 0 = R 0 αβ and use this relationship to discover R′ n with classical complexity O(q/2) modulo q. The fraction comes from the fact that R′ 0 and R′ n are even numbers. Therefore, the total non-deterministic complexity for the solution set: By lifting all variables from mod q to mod ϕ(p) , we would have a total non-deterministic complexity O(q^{ +2−m} 2^{x( +3)}).
It should be understood that the attack would create a list of possible solution sets of . Of course, one solution set from the list is the correct private key. The list can be shortened by utilizing intercepted signatures: Using A k and B k , one can create an equation with a purposely selected generator ḡ ∈ F p , Ā k = log_ḡ A k , B̄ k = log_ḡ B k and t k for x 0 in the signature S k . In a similar way, one can obtain another equation with C k and D k Considered modulo q, the above two equations can be reduced to a single equation: We did not find an efficient way to directly solve the above equations for k = 1, 2, . . . , K , even for a large overdetermined equation system, except for brute-force search. However, these equations obtained from the signatures could be used to verify all private key candidates f′ 0 , . . . , f′ , h′ 0 , . . . , h′ obtained in the key recovery from the public key, and possibly produce a deterministic solution set of f′ 0 , . . . , f′ , h′ 0 , . . . , h′ , with a complexity O(√p log 2 p) , counting the complexity of the discrete logarithms. The remaining unknowns R′ 0 , R′ n still leave the attack probabilistic, with overall complexity O([√p log 2 p] q^{ +2−m} 2^{x[ +3]}). The major contribution from using the signatures is that the length of the possible solution set is reduced from 2q^{ +2−m} 2^{x( +3)} to q^2 2^{2x+1} .
In conclusion, combining signatures with the public key for the key recovery attack reduces the possible solution set; however, the computational complexity is higher.
Proof Let > 1, n ≥ , and + 1 > m . Coefficients of the public key polynomials P(x 0 , x 1 , . . . , x m ) and Q(x 0 , x 1 , . . . , x m ) for a fixed j = 0 form two systems of equations of the form p kj = Σ_{t+s=k} R 0 α f t c sj and q kj = Σ_{t+s=k} R n β h t c sj for k = 1, . . . , n + − 1 over the ring Z/ϕ(p)Z . Using Gaussian elimination on P(·) from the bottom to the top, this system of equations can be reduced to a single equation in (
Proof The public key component P(x 0 , x 1 , . . . , x m ) forms a system of m(n + − 1) equations with 2 + ( + 1) + m(n + 1) variables, to account for α, R 0 , f i ∀i ∈ {0, . . . , } , and the base polynomial coefficients c lj for j ∈ {1, . . . , m} and l ∈ {0, . . . , n} . The same is true for the public key component Q(x 0 , x 1 , . . . , x m ). The noise functions N 0 (x 1 , . . . , x m ) and N n (x 0 , x 1 , . . . , x m ) each form a system of m equations in m + 1 variables. Thus, considered individually, each of the public key elements forms an underdetermined system. Considered together, they form a system with 2m(n + − 1) + 2m equations and 2 + 2 + 2( + 1) + m(n + 1) variables, to account for the common base polynomial coefficients. This system of equations is underdetermined when 2 + 2 + 2( + 1) + m(n + 1) > 2m(n + − 1) + 2m , or equivalently when 6 + 2 + m > mn + 2m . Otherwise, this system of equations is overdetermined and can be solved for the private key elements modulo q.  . These values are then used to solve for the coefficients of R 0 αf(x 0 ) as for both j = j 1 and j = j 2 . The same strategy is applied to the coefficients of the polynomial Q(x 0 , x 1 , . . . , x m ) for j = j 1 and j = j 2 . The computational complexity of this step is (log 2 p + log p) .
To verify the correct solution, the verifier can search for values c sj that yield the same R 0 f t and R n h t for j = j 1 and j = j 2 . Note that, generally, there might be more than a single solution that satisfies this property. However, we assume that the adversary has the advantage and is in the scenario where only a single such solution exists. In this case, the adversary has determined the values R 0 f′ t , R n h′ t for t ∈ {0, . . . , } and c sj for s ∈ {0, . . . , n} , j = j 1 and j = j 2 . The adversary can leverage the base polynomial coefficients, considered in conjunction with the noise functions, to obtain R 0 as n 0j 1 / c 0j 1 and R n as There are a few more pieces of information that the adversary needs, namely the values f′ t and h′ t and the value αβ. The adversary can reduce the values R 0 f′ t and R n h′ t as well as R 0 , R n mod q to calculate f′ t and h′ t . These values then need to be lifted back to the ring Z/ϕ(p)Z. The classical computational bit complexity of this step is O(2 × 2^{x( +1)}) . The adversary can verify whether the lift is successful by comparing the lifted values, multiplied by R 0 and R n correspondingly, to the known values R 0 f′ t , R n h′ t . Having the values f′ t , h′ t , R 0 , R n , the adversary needs the value αβ, which they can find using brute-force search over the ring Z/ϕ(p)Z. The overall complexity of this attack is O(ϕ(p)^{2(n+1)+1} (log 2 p + log p) 2^{x( +1)+1}).
Proposition 3.7 There exists a non-deterministic attack on MPPK/DS with classical complexity of O(2q^{4−( +1)} 2^{x( +1)} ϕ(p)) , when n = 2 and < 3.

Proof
The number of public key equations produced using the coefficients of the polynomial P(x 0 , x 1 , . . . , x m ) is n + − 1 for a given j. When we choose n = 2 , the number of public key equations becomes + 1 , which is equal to the number of coefficients of the private univariate polynomial f(x 0 ) or h(x 0 ) . Under this consideration, we can establish the following equation with public key coefficients for j = j 1 and j = j 2 where c′ ij = R 0 c ij . The above matrix equation can be expanded into + 1 equations with 4 unknowns: Since all public key coefficients are even integers, we can only carry out the solution mod q, with a complexity O(q^{4−( +1)}) . With the knowledge of the values c′ 11 , c′ 21 , c′ 12 , c′ 22 , we can then solve for The obtained solution can be verified using a similar equation system for j = j 2 . Note that these solutions were obtained modulo q and need to be lifted to the ring Z/ϕ(p)Z. The complexity of the lifting step is O(2^{x( +1)}). The adversary still needs the value R′ 0 = R 0 αβ , which can be found using brute-force search over Z/ϕ(p)Z. All the steps can be repeated to find the values h′ t = βh t for all t ∈ {0, . . . , } and R′ n . The overall complexity of this attack is O(2q^{4−( +1)} 2^{x( +1)} ϕ(p)) .
Many of the attacks that we have discovered on the original MPPK/DS scheme 6 also apply to the optimized version of the MPPK signature scheme. For reasons of simplicity, we direct the reader to the detailed description of the given attacks in 6 and give their classical complexities when considered in the framework of the optimized MPPK/DS.
Proof The attack is described in detail in Claim 4.7 of MPPK/DS 6 . All of the arithmetic is done modulo q unless stated otherwise. To adapt this attack to the optimized version, we point out that after a brute-force search for R 0 the matrices considered are with p′ kj = p kj / R 0 . The adversary then uses brute-force search to find the values αf i ∀i ∈ {0, . . . , }. The complexity at this stage is O(q^{1+( +1)}). Once the base polynomial coefficients are found and used to find the values βR n h i ∀i ∈ {0, . . . , } , the adversary can also use the base polynomial coefficients together with the noise functions to find the values R 0 and R n . As stated in 6 , Claim 4.7, all of these values are found modulo q. The adversary then needs to find the value αβ. To do that, the adversary can brute-force search for the value αβ. All of the solutions need to be lifted to the ring Z/(p − 1)Z ; the adversary can follow the same steps as described in Proposition 3.5. In fact, instead of lifting R 0 , R n , αβ separately, the attacker can lift R′ 0 = R 0 αβ , R′ n = R n αβ . The overall complexity then is O([q^{( +2)} + q] 2^{x(2( +1)+2)}). for the optimized DS. We lift the values altogether. The classical complexity of this step is 2^{x(4 +4)} . The total classical complexity is then O(4( + 1) p^{ +1} √p log p 2^{x(4 +4)}).
Note that it is possible to combine key-recovery attacks and attacks that use intercepted signatures. The best such attack is given as Proposition 3.1. We showed, however, that to the best of our knowledge this combination does not benefit the attacker. In particular, we believe that using intercepted signatures reduces the number of possible solutions but increases the complexity of the attack. In part, this is due to the fact that each signature is associated with a new base g, which introduces a new unknown variable for every signature considered. To eliminate g, the attacker has to combine signature elements. This combination increases the complexity during the lifting process.
We conclude that the best attack on the signature in the framework of the Optimized MPPK/DS has classical complexity O(2(2 + 1) q √p log p 2^{x(2( +1)+2)} ϕ(p)) , as described in Proposition 3.11.
Spoofing attacks. Here we describe the best direct spoofing attack that we have discovered on the Optimized MPPK/DS. This attack is inspired by the attacking mechanism described in 6 , Proposition 4.15. Note that this attack does not apply to the original version of the MPPK/DS signature scheme, as described in 6 , due to the signature element E.
We estimate that the calculation of A increases the complexity to O(p^{3+δ}) . Here, δ = 1 if the technique to obtain A is brute-force search using classical computers. In this case, the classical complexity is O(mp^4) with classical computers. The complexity of this attack on a quantum computer can be significantly reduced due to Shor's algorithm, with δ = 0 . We then obtain the complexity O(mp^3).
In the NIST PQC security description 39 , NIST notes that it is primarily concerned with attacks that use classical (rather than quantum) queries to the signing oracle. We interpret this as NIST being primarily concerned with the security of private keys rather than with spoofing attacks, because spoofing must be performed per signing message, which is not efficient. Based on this consideration, we set the complexity of MPPK/DS to O(mp^4) operations of modular exponentiation.
The time complexity of spoofing can be calculated based on the bit complexity of modular exponentiation: O((log 2 p)^3) . We have in total m × 4 modular exponentiation evaluations, so the overall time complexity is O(m (log 2 p)^{12} p^4).
Security conclusion. We have discovered four different ways to attack the Optimized MPPK/DS scheme, namely a key-recovery attack using the knowledge of the public key, a key-recovery attack using the knowledge of signatures, a combination of the two, and direct spoofing. In most cases, the adversary cannot solve for any private information modulo ϕ(p) directly, due to the even coefficients of the public key elements; thus the attacker is reduced to solving for the private key elements modulo q and then lifting the solutions back to the ring Z/ϕ(p)Z. Hence, in most cases the best complexity of the attack has the form O(q^r 2^{xs}), where the values r, s depend on the security parameters n, m, . Otherwise, the adversary can choose to brute force some private key values, but that would also lead to a high complexity of the form O(ϕ(p)^r), where r = poly(n, m, ). Note also that in most cases the adversary is faced with an underdetermined system of equations and is thus required to use brute-force search for some values of the private key. We provide the reader with Table 1, summarizing the classical complexity of the best attacks we have discovered on the Optimized MPPK/DS scheme up to this date.
Note that the Optimized MPPK/DS as well as the original MPPK/DS scheme are resistant to known quantum attacks such as attacks using Shor's algorithm. However, the attacker can benefit from using Shor's or Grover's algorithm to gain a better attacking complexity. For most of the attacks we have discovered, Grover's algorithm can be used to improve the brute-force search component of the attacks. That would bring a square-root speedup to the attack. We provide the reader with Table 2, illustrating the quantum complexity of the best attacks we have discovered on the Optimized MPPK/DS.

Author note
We have recently become aware of an algebraic attack on MPPK/DS proposed by Hao Guo 40 . The authors acknowledge this attack and are currently making modifications to the MPPK/DS algorithm to withstand this proposed attack. It is important to note that our aim is to maintain the main structure of MPPK/DS, while also securing it against the proposed algebraic attack and other similar attacks.

Discussions
Sizes of public key, private key, and signature. As we have shown in "Security conclusion", the best key-recovery attacks on the public key in the framework of the Optimized MPPK/DS have classical complexity of ) as shown in Propositions 3.1 and 3.2, respectively. The best attack we have discovered on the signature has classical complexity O(2(2 + 1) q √p log p 2^{x(2( +1)+2)} ϕ(p)) , as described in Proposition 3.11. The best direct spoofing attack has classical complexity O(m (log 2 p)^{12} p^4) , as described in Proposition 3.13.
Although two extra private values α and β are introduced, the private key does not increase in size, because the private key elements can be replaced with
The size of the public key can be calculated as 2m(n + ) field elements. The signature size can be calculated as 4 × M , where M is the number of message segments to be signed. Based on the most efficient attacks discovered, given in Table 1, we provide Table 3, illustrating sample parameters of the Optimized MPPK/DS scheme configured to provide NIST security levels I, III, and V while preventing any of the discovered attacks. Indeed, the classical complexity of the remaining attacks that we have discovered is larger. We offer two categories of configurations: maximum secure or Xsecure, with 384 bits of entropy for all levels, and constrained secure for IoT devices, with 192 bits of entropy for levels I and III and 256 bits of entropy for level V. To allow for randomized verification, the number of noise variables is set to m = 2.
The MPPK-Xsecure category is selected to be a single configuration (logq).x.n. .m = 64.64.2.2.2 for all three NIST security levels, choosing a prime field of 128 bits with a 64-bit sub-prime q, quadratic polynomials with respect to the message variable x 0 , and two noise variables x 1 , x 2 . Based on the optimal attack in Proposition 3.2, it offers 384 bits of entropy with a 256-byte public key, a 128-byte private key, and a signature of 128 bytes if SHA-256 is used, 192 bytes if SHA-384 is used, or 256 bytes if SHA-512 is used. For the resource

Table 1. Classical complexity of the best attacks we have discovered on the Optimized MPPK/DS scheme to this date. (Columns: Proposition #, Classical complexity.)

The biggest signature sizes are from SPHINCS+, 60× to 390× larger than those of MPPK/DS Xsecure. Overall, it can be seen that MPPK/DS Xsecure could be an optimal generic digital signature scheme for the post-quantum era, applicable to any device.
In comparison with the original MPPK/DS 6 , the optimized MPPK/DS offers better performance in key generation, signing, and verifying for all security levels; the results are tabulated in Table 5. Performance figures for the standardized algorithms are taken from their submission documents 13,14,18 . Overall, MPPK/DS Xsecure outperforms all the standardized algorithms for the key generation, signing and verifying procedures. For key generation, MPPK/DS Xsecure takes about 26 K cycles for all security levels, the fastest algorithm compared with Dilithium, Falcon, and SPHINCS+. The second fastest algorithm in key generation is Dilithium, the third is Falcon, and the slowest is SPHINCS+, which is four orders of magnitude slower than MPPK/DS Xsecure. For signing, the relative performance is similar to the key generation procedure: MPPK/DS is the fastest and SPHINCS+ is the slowest, again four orders of magnitude slower than MPPK/DS. It is clearly seen from Table 5 that MPPK/DS signature verification is 4× to 6× faster than Dilithium, 10× faster than Falcon, and about 40× faster than SPHINCS+.
Consideration of side-channel resistant implementation. To sign a message with the optimized MPPK/DS, we normally first evaluate the univariate polynomials a(x 0 ), b(x 0 ), c(x 0 ) , and d(x 0 ) and then perform the modular exponentiation with a randomly chosen base g from F p . These polynomial evaluations are exposed to the side-channel attacks on polynomial evaluation proposed by Carlet and Prouff 38 . We propose to disassemble the polynomial evaluations into the signing process, combining polynomial evaluation and exponentiation as follows:

$A = g^{a(x_0)} \bmod p = g^{\sum_i a_i x_0^{i}} \bmod p = \prod_i \left(g^{a_i}\right)^{x_0^{i}} \bmod p$

$B = g^{b(x_0)} \bmod p = g^{\sum_i b_i x_0^{i}} \bmod p = \prod_i \left(g^{b_i}\right)^{x_0^{i}} \bmod p$

$C = g^{c(x_0)} \bmod p = g^{\sum_i c_i x_0^{i}} \bmod p = \prod_i \left(g^{c_i}\right)^{x_0^{i}} \bmod p$

$D = g^{d(x_0)} \bmod p = g^{\sum_i d_i x_0^{i}} \bmod p = \prod_i \left(g^{d_i}\right)^{x_0^{i}} \bmod p$

With the random base g, this implementation avoids side-channel analysis of the polynomial evaluations, since the polynomial values a(x 0 ), ..., d(x 0 ) are never formed explicitly. Algorithm 1 gives the pseudo-code of the signing process.

Table 5. Performance comparison of the optimized MPPK/DS Xsecure against the NIST standardized algorithms for key generation, signing, and verifying. All performance results are displayed in clock cycles. We choose SHA-256, SHA-384, and SHA-512 for MPPK/DS Xsecure security levels I, III, and V respectively, but only SHA-256 is selected for the other standardized algorithms. That means MPPK/DS Xsecure uses hash codes of 32 bytes, 48 bytes, and 64 bytes for security levels I, III, and V.
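The rearrangement above, as an added Python example; this is not the paper's Algorithm 1 and not the authors' implementation. The key-dependent bases g^{a_i} mod p are computed once per key, and the per-message work touches only those bases and the message segment x_0, so the coefficient values and the evaluated polynomial never appear in the signing loop. The function names, the sample prime, base and coefficients are constructed for illustration, not the paper's parameters.

```python
# Added example (not the paper's Algorithm 1): computing a signature element
# A = g^{a(x0)} mod p without ever materialising the polynomial value a(x0).
# Parameter names (g, p, coeffs, x0) follow the paper's notation; the sample
# values used in the demo are constructed for illustration.

def eval_poly_mod(coeffs, x0, modulus):
    """Horner evaluation of a(x0) = sum a_i x0^i, reduced mod `modulus`.

    `coeffs` is in ascending order: coeffs[i] is the coefficient of x0^i.
    """
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x0 + c) % modulus
    return acc


def direct_element(g, coeffs, x0, p):
    """Reference method: evaluate a(x0) first, then one modular exponentiation.

    Exponents of g live modulo the multiplicative order of g, which divides
    p-1 for g in F_p^*, so a(x0) can be reduced mod p-1 without changing g^a(x0).
    """
    e = eval_poly_mod(coeffs, x0, p - 1)
    return pow(g, e, p)


def precompute_bases(g, coeffs, p):
    """Key-dependent, message-independent part: g_i = g^{a_i} mod p per coefficient."""
    return [pow(g, c, p) for c in coeffs]


def disassembled_element(bases, x0, p):
    """Message-dependent part: prod_i (g^{a_i})^{x0^i} mod p.

    The coefficients a_i are not used here at all; only the fixed bases g_i and
    the message segment x0 are, which is the point of the rearrangement.
    """
    result = 1
    x0_pow = 1                            # x0^i, built incrementally
    for g_i in bases:
        result = (result * pow(g_i, x0_pow, p)) % p
        x0_pow = (x0_pow * x0) % (p - 1)  # exponent arithmetic is mod p-1
    return result


def sign_segment(g, polys, x0, p):
    """Produce (A, B, C, D) for one message segment from the four univariate
    polynomials a, b, c, d (given as coefficient lists) using the disassembled form."""
    return tuple(disassembled_element(precompute_bases(g, poly, p), x0, p)
                 for poly in polys)


if __name__ == "__main__":
    # Constructed demo values: p = 23 is a safe prime (2*11 + 1), g = 5.
    p, g, x0 = 23, 5, 9
    a = [3, 7, 11]                        # a(x0) = 3 + 7 x0 + 11 x0^2
    assert direct_element(g, a, x0, p) == disassembled_element(precompute_bases(g, a, p), x0, p)
    print("A =", direct_element(g, a, x0, p))
```

Two points a practitioner should keep in mind when carrying this over to a real implementation: Python's built-in `pow` is not constant-time, so the exponentiations themselves would need a constant-time modular exponentiation routine, and the disassembled form protects the polynomial evaluation step only; the per-key bases g^{a_i} are as secret as the coefficients and must be stored and handled with the same care.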

Conclusion
In this work, we presented a new version of a novel quantum-safe digital signature algorithm called Multivariate Polynomial Public Key Digital Signature (MPPK/DS) introduced by Kuang, Perepechaenko, and Barbeau 6 . We presented an optimized version of the MPPK/DS scheme, with significantly reduced public key and signature sizes, based on the newly identified optimal attack mechanisms. The security analysis given in the original version of MPPK/DS 6 has been improved, and new, more efficient attacks have been discovered. We include these attacks in this work. The optimized version of MPPK/DS does not include a fifth signature element E, and does not have any elements associated solely with the message variable x 0 compared to the original MPPK/DS. Moreover, we introduced two new private secret values α and β used to obscure the public key polynomials P(·) and Q (·) . We have provided a detailed description of the optimized MPPK/DS and illustrated it with a toy example. We also conducted an updated security analysis that includes the most recent attacks that we have discovered. In particular, we describe some attacks that we have discovered on the Optimized MPPK/DS, as well as the attacks described in 6 adapted to the optimized version. One of the biggest differences in the security analysis is the discovery of the optimal key recovery attack and a new improved spoofing attack with classical complexity of O (p 4 ). The optimized MPPK/DS offers two configuration categories: Xsecure for maximum security and constrained for resource-limited devices. We also point out that the optimized version of MPPK/DS has smaller signature sizes, which now only include four signature elements. The preliminary performance comparisons demonstrated that optimized MPPK/DS outperforms all standardized algorithms for the key generation, signing and verifying procedures. We will report benchmarking performance for both categories separately. 
We have also introduced a side-channel-resistant implementation of the optimized MPPK/DS and provided pseudo-code for it. Overall, the optimized MPPK/DS is a substantial improvement over the original MPPK/DS scheme without any compromise to the security or the construction of the scheme. We will report on the performance of the optimized MPPK/DS separately, and will consider it as a standalone algorithm as well as in comparison with the original MPPK/DS and the NIST standardization candidates to give a full picture of the possible use cases of the optimized MPPK/DS.
We are also currently working on modifying the MPPK/DS algorithm to resist a recent attack proposed by Guo 40 .